Normal view

Yesterday: May 8, 2026 (Main stream)

Sri Lanka makes 37 arrests as it raids another scam centre

May 8, 2026, 06:30
You don't need to live near a scam compound for it to wreck your life. Americans lost $5.8 billion to crypto investment scams last year alone - and a raid in Sri Lanka this month shows exactly how the operations behind them keep finding new places to hide. Read more in my article on the Hot for Security blog.
Before yesterday (Main stream)

CVE-2026-23918: Critical Apache HTTP/2 Flaw Can Trigger DoS and Possible RCE

May 6, 2026, 11:13

Apache has patched CVE-2026-23918, a critical flaw in Apache HTTP Server’s HTTP/2 handling that Apache describes as a “double free and possible RCE.” The issue affects Apache HTTP Server 2.4.66 and was fixed in 2.4.67, released on May 4, 2026.

The flaw matters because it is reachable remotely and without authentication. Public reporting says the bug can cause a denial-of-service condition and, under certain conditions, may also open a path to remote code execution, making it one of the most serious issues addressed in Apache’s latest security release.

Apache credits Bartlomiej Dmitruk of striga.ai and Stanislaw Strzalkowski of isec.pl with reporting the flaw. Apache’s own vulnerability page shows it was reported to the security team on December 10, 2025, fixed in source on December 11, 2025, and shipped to users in the 2.4.67 release months later.

CVE-2026-23918 analysis

According to Apache and researcher commentary cited by The Hacker News, the bug is a double-free in mod_http2, specifically in the stream cleanup path. It can be triggered when a client sends an HTTP/2 HEADERS frame and then immediately sends RST_STREAM with a non-zero error code before the stream is fully registered by the multiplexer.

That sequence can cause two callbacks to run in a way that pushes the same stream object into the cleanup array twice. When Apache later destroys the stream entries, memory that has already been freed gets released again. In practical terms, the vulnerability in CVE-2026-23918 is a memory-management flaw that can crash worker processes and, in the right environment, be shaped into code execution.

The denial-of-service path appears to be the easiest outcome. The researchers told The Hacker News that one TCP connection and two HTTP/2 frames are enough to crash a worker in default deployments that use mod_http2 with a multi-threaded MPM. They also noted that MPM prefork is not affected, while the possible RCE path depends on an APR configuration using the mmap allocator, which is said to be the default on Debian-derived systems and in the official httpd Docker image.

As for exploitation maturity, public reporting says the researchers built a working proof of concept for x86_64 under lab conditions. They also said practical exploitation still needs helpful conditions such as an information leak and favorable memory reuse, so code execution is considerably more demanding than simple service disruption.

At this stage, public details for CVE-2026-23918 point much more clearly to process crashes and worker instability than to widely reproducible RCE in the field. There are also no vendor-published indicators of compromise for CVE-2026-23918, so defenders should focus on version exposure, unexpected worker crashes (httpd children exiting on a segmentation fault in the error log), and suspicious HTTP/2 reset patterns rather than wait for a stable signature set.
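The frame sequence described above (a HEADERS frame followed immediately by RST_STREAM with a non-zero error code on the same stream) is the only behavioural tell the public reporting gives, so here is an added Python example of how to look for it in the client side of a captured HTTP/2 connection. This is not SOC Prime's, Apache's or the researchers' code, and it is a triage heuristic rather than a signature: browsers legitimately cancel streams with RST_STREAM(CANCEL), so volume per connection and per source is the signal, not a single hit. The byte stream it parses is constructed inline, and the header-block bytes are placeholders that are never HPACK-decoded.

```python
"""Heuristic for the HEADERS -> RST_STREAM(non-zero) pattern in raw HTTP/2.

Added example, not code from the original post or from Apache. Frame layout
follows RFC 9113: 9-byte header (24-bit length, 8-bit type, 8-bit flags,
1 reserved bit + 31-bit stream id) followed by the payload.
"""
import struct
from dataclasses import dataclass
from typing import List, Tuple

CLIENT_PREFACE = b"PRI * HTTP/2.0\r\n\r\nSM\r\n\r\n"  # RFC 9113 section 3.4

# Frame types and flags used below (RFC 9113 section 6)
DATA, HEADERS, RST_STREAM, SETTINGS = 0x0, 0x1, 0x3, 0x4
END_STREAM, END_HEADERS = 0x1, 0x4

ERROR_NAMES = {0x0: "NO_ERROR", 0x1: "PROTOCOL_ERROR", 0x2: "INTERNAL_ERROR", 0x8: "CANCEL"}


@dataclass
class Frame:
    ftype: int
    flags: int
    stream_id: int
    payload: bytes


def encode_frame(ftype: int, flags: int, stream_id: int, payload: bytes = b"") -> bytes:
    """Serialise one frame; the reserved bit of the stream id is always cleared."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + struct.pack("!I", stream_id & 0x7FFFFFFF) + payload)


def parse_frames(data: bytes) -> List[Frame]:
    """Split a client->server byte stream into frames; stops at a truncated trailing frame."""
    if data.startswith(CLIENT_PREFACE):
        data = data[len(CLIENT_PREFACE):]
    frames, off = [], 0
    while off + 9 <= len(data):
        length = int.from_bytes(data[off:off + 3], "big")
        ftype, flags = data[off + 3], data[off + 4]
        stream_id = struct.unpack("!I", data[off + 5:off + 9])[0] & 0x7FFFFFFF
        off += 9
        if off + length > len(data):
            break  # incomplete capture; do not guess at the payload
        frames.append(Frame(ftype, flags, stream_id, data[off:off + length]))
        off += length
    return frames


def immediate_resets(frames: List[Frame]) -> List[Tuple[int, int]]:
    """(stream_id, error_code) for every RST_STREAM with a non-zero code that is
    the very next frame on the wire after a HEADERS frame on the same stream.
    Adjacency is strict on purpose: that is the sequence the researchers describe."""
    hits = []
    for prev, cur in zip(frames, frames[1:]):
        if (prev.ftype == HEADERS and cur.ftype == RST_STREAM
                and prev.stream_id == cur.stream_id and len(cur.payload) == 4):
            code = struct.unpack("!I", cur.payload)[0]
            if code != 0:
                hits.append((cur.stream_id, code))
    return hits


def build_sample_connection() -> bytes:
    """Constructed client byte stream (not a capture): one suspicious reset, one clean
    request, one NO_ERROR reset that is ignored, and one browser-style CANCEL."""
    hdr = b"\x82\x86\x84\x41\x0a"  # placeholder header block; never decoded here
    return b"".join([
        CLIENT_PREFACE,
        encode_frame(SETTINGS, 0, 0),
        encode_frame(HEADERS, END_HEADERS | END_STREAM, 1, hdr),
        encode_frame(RST_STREAM, 0, 1, struct.pack("!I", 0x2)),  # INTERNAL_ERROR: flagged
        encode_frame(HEADERS, END_HEADERS, 3, hdr),
        encode_frame(DATA, END_STREAM, 3, b"body"),               # normal request: ignored
        encode_frame(HEADERS, END_HEADERS | END_STREAM, 5, hdr),
        encode_frame(RST_STREAM, 0, 5, struct.pack("!I", 0x0)),  # NO_ERROR: not flagged
        encode_frame(HEADERS, END_HEADERS | END_STREAM, 7, hdr),
        encode_frame(RST_STREAM, 0, 7, struct.pack("!I", 0x8)),  # CANCEL: flagged, often benign
    ])


if __name__ == "__main__":
    for sid, code in immediate_resets(parse_frames(build_sample_connection())):
        print(f"stream {sid}: HEADERS immediately followed by RST_STREAM({ERROR_NAMES.get(code, hex(code))})")
```

Feed it the client half of a TCP stream after TLS termination (a decrypted pcap, or a proxy's HTTP/2 frame log) and count hits per connection; a connection that opens with exactly this pair and nothing else is the shape the page describes, whereas a busy browser session will produce a handful of CANCEL resets spread among normal DATA frames.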


CVE-2026-23918 Mitigation

The core fix is to upgrade Apache HTTP Server from 2.4.66 to 2.4.67. Apache’s security advisory explicitly recommends moving to the patched version, and SecurityWeek notes that the release fixes 11 vulnerabilities, including this critical HTTP/2 issue.

For immediate triage, identify internet-facing systems where mod_http2 is enabled and a threaded MPM (event or worker) is in use. That is the most practical way to find exposure, because the attack hinges on HTTP/2 request handling rather than on a dropped malware artifact or a traditional post-exploitation beacon.

If emergency patching is delayed, reducing exposure to HTTP/2 traffic, for example by removing h2 and h2c from the Protocols directive or by not loading mod_http2 where HTTP/1.1 is acceptable, shrinks the attack surface until updates are applied. The publicly described trigger is not a conventional file or binary but a crafted sequence of HTTP/2 frames that forces the faulty cleanup path, so network-facing Apache instances should be prioritized first.
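The three steps above (upgrade, find threaded-MPM hosts with mod_http2 loaded, and otherwise stop offering h2) can be scripted. The following Python is an added example, not Apache's or SOC Prime's tooling: it parses the output of `httpd -V` and `httpd -M` (or `apachectl` / `apache2ctl` on Debian-derived systems) together with configuration text, and reports whether a host meets the conditions the text gives. The affected version set and the prefork exemption are taken from the text above, not verified independently here; the sample outputs embedded in the block are constructed, not from a real host.

```python
"""Exposure triage for the Apache HTTP/2 double free discussed above.

Added example, not from the original post. Conditions checked:
  - Server version 2.4.66 (the only version the page names as affected)
  - threaded MPM (event or worker; prefork is reported unaffected)
  - mod_http2 loaded
plus whether h2/h2c is still offered via the Protocols directive, which is
where the "reduce HTTP/2 exposure" mitigation is applied.
"""
import re
import shutil
import subprocess
from dataclasses import dataclass
from typing import Optional, Tuple

AFFECTED_VERSIONS = {"2.4.66"}       # per the advisory summary above
FIXED_VERSION = "2.4.67"
THREADED_MPMS = {"event", "worker"}   # prefork is single-threaded per process

# Constructed sample outputs (not taken from a real host)
SAMPLE_V = """\
Server version: Apache/2.4.66 (Debian)
Server built:   2026-01-15T00:00:00
Architecture:   64-bit
Server MPM:     event
  threaded:     yes (fixed thread count)
    forked:     yes (variable process count)
"""
SAMPLE_M = """\
Loaded Modules:
 core_module (static)
 so_module (static)
 http_module (static)
 mpm_event_module (shared)
 http2_module (shared)
 ssl_module (shared)
"""
SAMPLE_CONF = """\
# Offer HTTP/2 on TLS listeners
Protocols h2 http/1.1
"""


@dataclass
class HttpdExposure:
    version: Optional[str]
    mpm: Optional[str]
    http2_loaded: bool
    h2_offered: bool

    @property
    def exposed(self) -> bool:
        """Version, threaded MPM and loaded module must all hold."""
        return (self.version in AFFECTED_VERSIONS and self.mpm in THREADED_MPMS
                and self.http2_loaded)

    def advice(self) -> str:
        if not self.exposed:
            return "not exposed by the version/MPM/module criteria"
        if self.h2_offered:
            return f"upgrade to {FIXED_VERSION}; until then set 'Protocols http/1.1' to stop offering h2/h2c"
        return f"upgrade to {FIXED_VERSION}; h2/h2c is not currently offered via Protocols"


def parse_version(text: str) -> Tuple[Optional[str], Optional[str]]:
    """Pull 'Apache/x.y.z' and 'Server MPM: name' out of `httpd -V` output."""
    ver = re.search(r"Server version:\s*Apache/(\d+\.\d+\.\d+)", text)
    mpm = re.search(r"Server MPM:\s*(\w+)", text)
    return (ver.group(1) if ver else None, mpm.group(1).lower() if mpm else None)


def http2_module_loaded(text: str) -> bool:
    """`httpd -M` lists loaded modules one per line, e.g. ' http2_module (shared)'."""
    return re.search(r"^\s*http2_module\s+\((?:shared|static)\)", text, re.M) is not None


def h2_offered(conf: str) -> bool:
    """True if any uncommented Protocols directive lists h2 or h2c.
    Pass the full effective config: Protocols may sit in included vhost files."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"Protocols\s+(.+)", line, re.I)
        if m and {p.lower() for p in m.group(1).split()} & {"h2", "h2c"}:
            return True
    return False


def assess(version_text: str, modules_text: str, conf_text: str) -> HttpdExposure:
    ver, mpm = parse_version(version_text)
    return HttpdExposure(ver, mpm, http2_module_loaded(modules_text), h2_offered(conf_text))


def assess_live(conf_path: str) -> Optional[HttpdExposure]:
    """Run the real binary if one is on PATH; returns None when none is found."""
    binary = next((b for b in ("httpd", "apachectl", "apache2ctl") if shutil.which(b)), None)
    if binary is None:
        return None

    def run(flag: str) -> str:
        proc = subprocess.run([binary, flag], capture_output=True, text=True)
        return proc.stdout + proc.stderr  # -M may report on either stream

    try:
        with open(conf_path, encoding="utf-8", errors="replace") as fh:
            conf = fh.read()
    except FileNotFoundError:
        conf = ""
    return assess(run("-V"), run("-M"), conf)


if __name__ == "__main__":
    result = assess_live("/etc/apache2/apache2.conf") or assess(SAMPLE_V, SAMPLE_M, SAMPLE_CONF)
    print(result, "->", result.advice())
```

Run it on each internet-facing host (or feed it outputs collected by your configuration-management tool) and treat `exposed` as the patch-priority flag; `h2_offered` tells you whether the interim Protocols change is actually needed on that host.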

From a risk perspective, CVE-2026-23918 affects organizations that rely on Apache HTTP Server 2.4.66 for public web workloads, especially where HTTP/2 is enabled by default or broadly deployed for performance reasons. That includes standard Linux-based web servers as well as containerized deployments using the official Apache image.

FAQ

What is CVE-2026-23918 and how does it work?

It is a critical double-free flaw in Apache HTTP Server’s HTTP/2 handling. A specially timed sequence of HTTP/2 frames can push the same stream object into cleanup twice, leading to worker crashes and potentially enabling remote code execution under favorable conditions.

When was CVE-2026-23918 first discovered?

Apache’s vulnerability page says the issue was reported to the security team on December 10, 2025. The fix landed in source on December 11, 2025, and the patched 2.4.67 release was published on May 4, 2026.

What is the impact of CVE-2026-23918 on systems?

The most immediate impact is denial of service through crashed Apache workers. Public reporting also says the flaw may allow remote code execution, although that path appears more complex and environment-dependent than the crash scenario.

Can CVE-2026-23918 still affect me in 2026?

Yes. Systems can still be exposed in 2026 if they are running Apache HTTP Server 2.4.66 with mod_http2 enabled and have not yet been updated to 2.4.67. The risk is especially relevant for deployments using threaded MPMs.

How can I protect myself from CVE-2026-23918?

Upgrade to Apache HTTP Server 2.4.67 as soon as possible, identify exposed HTTP/2-enabled deployments, and prioritize externally reachable servers for remediation. Where patching cannot happen immediately, reducing HTTP/2 exposure can help lower short-term risk.



The post CVE-2026-23918: Critical Apache HTTP/2 Flaw Can Trigger DoS and Possible RCE appeared first on SOC Prime.

Recorded Future Named a Leader in the 2026 Gartner® Magic Quadrant™ for Cyberthreat Intelligence Technologies. And there’s more.

May 5, 2026, 21:00

For security professionals evaluating threat intelligence vendors, the Gartner Magic Quadrant offers an indispensable perspective. Gartner analysts’ thorough and nuanced analysis cuts through the noise, making it easier for teams to understand each platform’s approach, strengths, and considerations—and helping them determine whether a particular vendor fits their organization’s unique needs.

That’s why we’re honored to share that Gartner has named Recorded Future a Leader in the first-ever Magic Quadrant™ for Cyberthreat Intelligence Technologies. This new report evaluated 17 vendors in the space, providing a comprehensive look at the competitive landscape.

“In our view, being recognized as a Leader means something specific to us: we feel it reflects our ability to help our customers with the outcomes they depend on. These include stopping threats pre-attack, running intelligence autonomously at a scale no human team can match, and making every security control they own more effective," said Colin Mahony, CEO, Recorded Future. “We believe this recognition reflects both the trust our customers place in us and the strength of the outcomes we help them achieve.”

A research methodology that prioritizes customer voice

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. By applying a graphical treatment and a uniform set of evaluation criteria, a Magic Quadrant helps you quickly ascertain how well technology providers are executing their stated visions and how well they are performing against Gartner’s market view.

For Recorded Future, this meant that Gartner analysts spoke directly with our customers about their real-world experiences—the challenges they face, how they use our Platform, and the outcomes they've realized. We feel their voices shaped our position in the Magic Quadrant, just as they’ve always shaped our product offerings and roadmap.

The new Gartner report offers a snapshot of what the analysts heard from customers. We haven’t stopped working since then and there’s much to talk about.

There’s more… the next phase of threat intelligence

In conversations throughout 2025, our customers gave us their thoughts about product complexity, pricing models, and the challenges of scaling intelligence across their teams. As a result of their input, we’ve fundamentally changed how they can access and make the most of Recorded Future threat intelligence.

Here are the highlights of our continued commitment to simplicity and innovation to provide better experiences for our customers in 2026:

1. Goodbye, modules. Hello, simplicity. Meet our four new solutions.
Our four new solution areas cover the four major attack surfaces—an organization’s systems, brand, supply chain, and payment methods:

  • Cyber Operations—This foundational solution empowers security teams with the intelligence to monitor and prioritize threats and vulnerabilities, get in-depth malware insights, triage alerts and detect threats, and stand up an intelligence-driven defense.
  • Digital Risk Protection—Also foundational, this solution allows teams to monitor malicious sites, code repositories, and the dark web to detect brand abuse, employee credential compromise, and other threats to digital trust.
  • Third-Party Risk—This solution enables teams to continuously assess supplier security posture with real-time intelligence, accurate risk ratings, vendor action plans, and more.
  • Payment Fraud—With this solution, teams can detect and prevent card-not-present fraud with intelligence that identifies compromised payment data before it's used.

The solutions are built on a unified intelligence foundation to provide consistency, accuracy, and alignment around shared security outcomes. And they integrate with other security solutions like CrowdStrike Falcon and Google SecOps, bringing the benefits of Recorded Future intelligence and rich context directly into common SIEM and EDR workflows.

2. New pricing packages for less friction, more intelligence
We’re offering the four solutions in new pricing packages designed to fit customer needs:

  • Simplicity—Customers can purchase one package instead of juggling multiple modules
  • End-to-end workflows—Packages cover full use cases, complete with the key capabilities to get the job done
  • Wider access—Higher tiers offer unlimited seats, so everyone now can be intelligence-led.

In addition, integrations are included. Now your tools in the security stack—SIEM, SOAR, firewall, endpoint protection, ticketing system, and more—can leverage Recorded Future intelligence without integration fees or limitations.

3. Expansion into Latin America
The threat landscape knows no geographical borders, and neither do we. We’ve expanded Recorded Future’s operations into Latin America, giving security teams in the region better access to the expertise and support they need to mount a successful proactive defense.

4. Autonomous Threat Operations for autonomous defense
In February, we launched Autonomous Threat Operations to help customers move from isolated threat intelligence insights and manual workflows to automated and continuous defensive actions across the entire security ecosystem, complete with AI-powered, 24/7 autonomous threat hunting and multi-source correlation in the Intelligence Graph®.

As we continue to build on our vision of moving from automated to autonomous operations, we’re developing Recorded Future AI and agentic experiences to help our customers reduce alert fatigue, save time on research, and run threat hunts faster so they can detect and defend at scale.

Explore the Gartner Magic Quadrant report today

We’re proud to be recognized by Gartner as a Leader in Cyberthreat Intelligence Technologies, and we’ll continue innovating for our customers to help them mitigate risk and stay ahead of evolving threats.

Get the report to review Gartner analysis and see how Recorded Future fits your CTI program needs.

____________________________________________________________________________________________________________________________________

Gartner, Magic Quadrant for Cyberthreat Intelligence Technologies, By Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, 04 May 2026.

Gartner and Magic Quadrant are trademarks of Gartner, Inc. and/or its affiliates.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.


Threat Activity Enablers: The Backbone of Today’s Threat Landscape

May 5, 2026, 21:00
This article introduces threat activity enablers (TAEs), the infrastructure providers and networks that underpin modern cyber threats across both criminal and state-sponsored activity. These entities sustain operations by enabling resilient, high-risk infrastructure that persists despite sanctions, takedowns, and public exposure.

Behind every ransomware demand, botnet, or threat activity group is a server sitting in a data center. While most legitimate hosting providers evict threat actors once identified, a specific class of providers does the opposite. Recorded Future® calls these providers threat activity enablers (TAEs).

What Is a Threat Activity Enabler?

Figure 1: Overview of threat activity enablers’ patterns, ecosystem, and impact

A threat activity enabler (TAE) is an individual, organization, or service provider that supports malicious cyber activity by providing infrastructure or services leveraged by threat actors. Most commonly, this means providers that lack a formal physical or virtual storefront, conduct business only via email or messaging platforms, and do not enforce know-your-customer (KYC) policies. It also includes hosting providers that respond selectively to abuse reports or law enforcement inquiries to maintain plausible deniability, as well as more traditional self-proclaimed “bulletproof” providers that openly ignore oversight or advertise non-cooperation.

TAE networks serve as the backbone for ransomware groups, infostealer campaigns, botnets, and even state-sponsored threat actor operations. What distinguishes TAE networks is the sustained concentration of malicious infrastructure within their networks.

How TAEs Operate

TAEs are masters of obfuscation and are highly resilient, hiding behind layers of decoy companies to evade accountability. They use several core tactics:

  • Corporate Shell Games: They establish front companies across multiple jurisdictions to create legal distance between the infrastructure and the operators.
  • Strategic Resource Control: They often operate as local internet registries (LIRs). This gives them direct control over IP resources and autonomous systems (ASNs), allowing them to manipulate network resources at will.
  • Rapid Rebranding: When a network becomes too "hot" due to scrutiny, TAEs rapidly transfer IP address prefixes to a newly registered, clean-looking entity.

Identifying High-Risk TAE Networks

Recorded Future actively identifies high-risk TAE networks through its Network Threat Density List. These networks are ranked by their Threat Density Score, calculated from the concentration of validated malicious activity relative to the total number of IP address prefixes a network announces.

This approach cuts through the noise to quickly expose infrastructure that is disproportionately associated with threat activity, a core characteristic of TAEs, allowing network defenders to prioritize the infrastructure most likely to pose material risk.

Figure 2: High-risk suspected or confirmed TAE networks in 2025, ranked by Threat Density Score

From Insight to Action

Tracking TAE networks allows security teams to move from reacting to individual threats to proactively managing infrastructure risk. In practice, this means applying TAE intelligence across three core areas: prevention, detection, and exposure.

Operationalize TAE Intelligence

Figure 3: Three steps for operationalizing TAE intelligence

TAEs are persistent and continuously evolving, adapting quickly in response to sanctions, enforcement actions, and exposure. While their identities may change, their underlying infrastructure patterns often remain consistent.

The "metaspinner" Case Study

In April 2025, a TAE tracked by Recorded Future, Virtualine Technologies, shifted its IPv4 resources to a newly registered network that fraudulently impersonated a legitimate German software firm, metaspinner net GmbH. Because this provider’s historical infrastructure patterns were already being tracked, the newly created network was immediately identified as a front. Within weeks, this network became a primary distribution hub for malware families such as Latrodectus and AsyncRAT. When the operation was eventually exposed, Virtualine Technologies simply pivoted the infrastructure to a new identity within one of its existing autonomous systems to maintain its operations.

Figure 4: Validated malicious activity associated with Virtualine Technologies in 2025

This case underscores the reality of TAE networks: identities, ownership records, and corporate fronts change, but the underlying infrastructure and its associated risk persist. Continuous tracking is therefore essential to identifying and prioritizing the networks that will drive future threat activity; Virtualine subsequently emerged as the highest-risk TAE network in 2025.

The Stark Industries Case Study

In May 2025, the European Union sanctioned UK-registered hosting provider Stark Industries Solutions and its executives for enabling Russian state-sponsored cyber operations. However, enforcement did not halt Stark Industries’ operations. In the weeks leading up to the sanctions announcement, Stark Industries began transferring IP resources, modifying RIPE registrations, and shifting infrastructure to affiliated entities.

Figure 5: Timeline of Stark Industries-related events in 2025

Despite the sanctions, the underlying infrastructure, routing relationships, and operational patterns remained traceable across these new fronts. Continuous monitoring of TAE ecosystems enables defenders to detect these pivots in near real time, revealing continuity beneath corporate rebrands and legal restructurings. This case underscores a broader reality: sanctions may change names and ownership records, but without infrastructure-level visibility, the enabling networks behind malicious activity often persist.

What This Means for Security Leaders

TAEs represent an ongoing challenge. While individual campaigns and threat actors may come and go, the infrastructure that supports them remains adaptive and deliberately resilient.

For security leaders, this requires an additional shift from solely reacting to individual indicators to understanding and prioritizing the infrastructure that enables threat activity at scale. By identifying and tracking high-risk networks, organizations can reduce investigative noise, focus resources on the most impactful threats, and take proactive steps to limit exposure before attacks materialize.

Ultimately, addressing TAEs is not just about detection; it’s also about disrupting the conditions that enable modern cyber threats to operate.

Questions You Should Be Asking

  • How much of your network communicates with high-risk infrastructure?
  • Are you prioritizing alerts involving high-risk networks?
  • Is TAE or ASN risk intelligence integrated into your detection and triage workflows to ensure the highest-risk activity is addressed first?
  • Do any of your third-party providers rely on TAE-linked infrastructure?
  • Do you have hidden exposure to TAE networks?
  • Are your controls dynamically adjusting to infrastructure risk?
  • Can you proactively restrict or challenge traffic to and from high-risk networks?
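As an added illustration of the density idea described under "Identifying High-Risk TAE Networks" and of the first question above (how much of your network communicates with high-risk infrastructure), the Python below ranks constructed networks by one simple reading of the page's description, the share of a network's announced prefixes that contain at least one validated-malicious IP, and then measures what fraction of constructed proxy log lines went to networks above a threshold. It is not Recorded Future's code and does not reproduce their Threat Density Score formula, which is not given on the page; every ASN, prefix, indicator and log line is made up for the example (documentation and private address ranges only).

```python
"""Simplified threat-density ranking plus outbound exposure check.

Added example, not Recorded Future's implementation or scoring formula.
"""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed announcements: ASN -> prefixes it originates (not real networks)
ANNOUNCEMENTS: Dict[str, List[str]] = {
    "AS64500": ["198.51.100.0/24", "203.0.113.0/24"],
    "AS64501": ["192.0.2.0/24", "100.64.0.0/22", "100.64.4.0/22", "100.64.8.0/22"],
    "AS64502": ["10.10.0.0/16"],
}

# Constructed validated-malicious IPs (think confirmed C2 or malware hosts)
INDICATORS = ["198.51.100.7", "198.51.100.9", "203.0.113.21",
              "203.0.113.44", "192.0.2.5", "100.64.8.3"]

# Constructed proxy log lines; 172.16.5.5 belongs to no tracked network
PROXY_LOG = """\
2026-05-06T10:00:01Z src=10.0.0.5 dst=198.51.100.7:443 action=allow
2026-05-06T10:00:02Z src=10.0.0.6 dst=172.16.5.5:443 action=allow
2026-05-06T10:00:03Z src=10.0.0.7 dst=100.64.4.9:8080 action=allow
2026-05-06T10:00:04Z src=10.0.0.8 dst=10.10.1.1:443 action=allow
2026-05-06T10:00:05Z src=10.0.0.5 dst=203.0.113.80:443 action=allow
"""

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
Prefix = Tuple[ipaddress.IPv4Network, str]


def build_index(announcements: Dict[str, List[str]]) -> List[Prefix]:
    """Flatten to (network, asn) pairs, most specific prefix first for longest-match lookup."""
    idx = [(ipaddress.ip_network(p), asn) for asn, ps in announcements.items() for p in ps]
    return sorted(idx, key=lambda e: e[0].prefixlen, reverse=True)


def lookup_asn(ip: str, index: List[Prefix]) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in index if addr in net), None)


def density_scores(announcements: Dict[str, List[str]], indicators: List[str]) -> Dict[str, float]:
    """Share of each network's announced prefixes that hold at least one validated-malicious IP.
    One indicator per prefix is enough to taint it; volume within a prefix is ignored here."""
    index = build_index(announcements)
    tainted = {asn: set() for asn in announcements}
    for ip in indicators:
        addr = ipaddress.ip_address(ip)
        for net, asn in index:
            if addr in net:
                tainted[asn].add(net)
                break
    return {asn: len(tainted[asn]) / len(ps) for asn, ps in announcements.items()}


def rank_networks(scores: Dict[str, float]) -> List[Tuple[str, float]]:
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def outbound_exposure(log_lines: List[str], scores: Dict[str, float],
                      announcements: Dict[str, List[str]], threshold: float = 0.5) -> dict:
    """Count log lines whose destination sits in a network scoring at or above threshold."""
    index = build_index(announcements)
    high_risk = {asn for asn, s in scores.items() if s >= threshold}
    total, by_network = 0, Counter()
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue  # malformed or non-connection line
        total += 1
        asn = lookup_asn(m.group(1), index)
        if asn in high_risk:
            by_network[asn] += 1
    hits = sum(by_network.values())
    return {"total": total, "high_risk": hits,
            "share": hits / total if total else 0.0, "by_network": dict(by_network)}


if __name__ == "__main__":
    scores = density_scores(ANNOUNCEMENTS, INDICATORS)
    for asn, score in rank_networks(scores):
        print(f"{asn}: density {score:.2f}")
    print(outbound_exposure(PROXY_LOG.splitlines(), scores, ANNOUNCEMENTS))
```

The ranking stage is where a vendor list such as the Network Threat Density List would normally be substituted; the exposure stage is what you would run against your own egress logs to answer the first two questions in the list above, and the per-network breakdown is what turns a percentage into a blocklist or a triage boost for alerts involving those ASNs.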


CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls

May 6, 2026, 09:12

Edge security appliances remain high-value targets, especially when a flaw can be exploited before a patch is widely available. The CVE-2026-0300 vulnerability is a critical buffer overflow in the User-ID Authentication Portal, also known as Captive Portal, in Palo Alto Networks PAN-OS. Palo Alto rates it 9.3/10 when the portal is exposed to the internet or other untrusted networks, and says an unauthenticated attacker can execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets.

For teams starting their analysis, the most important details are the exposure conditions: the issue applies only when the User-ID Authentication Portal is enabled, and Palo Alto says risk is greatly reduced when access is limited to trusted internal IP addresses. The company also says limited exploitation has already been observed against portals exposed to untrusted IP space or the public internet.

In practice, CVE-2026-0300 affects only PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Prisma Access, Cloud NGFW, and Panorama are not impacted, which makes configuration review as important as version review when triaging exposure.

CVE-2026-0300 analysis

The vulnerability in CVE-2026-0300 is a buffer overflow in PAN-OS’s User-ID Authentication Portal service. According to Palo Alto, exploitation does not require credentials or user interaction, and the attacker’s goal is remote code execution as root through specially crafted network packets. SecurityWeek likewise describes the flaw as a zero-day used to hack some firewall models, underscoring that this is not a theoretical issue.

The publicly described trigger is not a malware file dropped to disk but a malicious packet sequence sent to the Captive Portal component. Neither the vendor advisory nor the cited media reports include a public proof of concept, but the confirmed in-the-wild exploitation means defenders should assume capable threat actors already understand the triggering conditions well enough to weaponize them.

From a risk standpoint, detection efforts should focus on externally reachable Authentication Portal instances and on signs of attempted access to that service from untrusted networks. Palo Alto’s advisory does not publish packet-level indicators, so defenders are better served by identifying exposed portal configurations, narrowing allowed source IP ranges, and prioritizing internet-facing firewalls for remediation.


CVE-2026-0300 Mitigation

Effective CVE-2026-0300 mitigation starts with reducing exposure before fixes land. Palo Alto recommends either restricting User-ID Authentication Portal access to trusted zones/internal IP addresses or disabling the portal entirely if it is not required. That advice is especially important because, at disclosure, the flaw was still unpatched, with the first wave of fixes expected on May 13, 2026 and additional releases on May 28, 2026 across supported 12.1, 11.2, 11.1, and 10.2 trains.

To check exposure in your environment, verify whether Device > User Identification > Authentication Portal Settings has the portal enabled, then determine whether it is reachable from the internet or any untrusted network segment. Palo Alto’s advisory makes clear that customers following this hardening model are at greatly reduced risk compared with deployments that leave the service publicly accessible.

Organizations should also map affected firewalls to Palo Alto’s target fixed versions and prepare an upgrade plan as soon as the relevant release becomes available. Because limited exploitation is already underway, this is a case where configuration hardening and emergency change control should happen in parallel rather than waiting for normal maintenance windows.

FAQ

What is CVE-2026-0300 and how does it work?

CVE-2026-0300 is a critical PAN-OS buffer overflow in the User-ID Authentication Portal (Captive Portal). Palo Alto says an unauthenticated attacker can send specially crafted packets to the service and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls.

When was CVE-2026-0300 first discovered?

Palo Alto’s advisory says the issue was discovered in production, with limited exploitation already observed, and the advisory was published on May 5, 2026. Public coverage from The Hacker News and SecurityWeek followed on May 6, 2026.

What is the impact of CVE-2026-0300 on systems?

The impact is severe: unauthenticated remote code execution as root on exposed firewalls. Because the flaw affects security infrastructure at the network edge, successful exploitation could give an attacker privileged control over a highly sensitive enforcement point.

Can CVE-2026-0300 still affect me in 2026?

Yes. Any affected PA-Series or VM-Series firewall can still be at risk in 2026 if it has User-ID Authentication Portal enabled and exposed to untrusted IP addresses or the public internet, especially until the relevant patched PAN-OS release is installed.

How can I protect myself from CVE-2026-0300?

Restrict User-ID Authentication Portal access to trusted internal IPs, disable it if it is unnecessary, and move to Palo Alto’s fixed PAN-OS builds as soon as they are available for your release train. The vendor explicitly says these steps materially reduce risk while active exploitation continues.



The post CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls appeared first on SOC Prime.


Working in London at the World’s Largest Intelligence Company

May 3, 2026, 21:00

Intro

There’s a certain energy you can only find at Recorded Future. Take that energy and bring it to London’s “Silicon Roundabout” and you get the perfect spot for Futurists to build and innovate.

Recorded Future's office @ The Bower on Old Street. Source: https://www.theboweroldst.com/

Across the globe, Recorded Future is 1000+ employees working towards the same mission: Securing Our World With Intelligence.

Our London office, one of our most storied hubs, hosts a range of departments supporting local, regional, and global operations. The office brings together 100+ cross-functional professionals from People & Talent Acquisition, Finance, Sales, Marketing, Global Services, Research, and more!

Looking back: From the Attic to The Bower

Our story in London didn’t start in the high-rise, but in a converted attic with just a handful of people and a big mission.

“When I first joined, we were in the attic of a 3-story building. It was full of great people and energy; the immediate feeling I got was that everyone was building something great together.”

Joe Rooke

Director Risk Insights, Insikt Group

This passion for building something great fueled incredible growth. Sam Pullen, Director of Intelligence Services, remembers when the entire EMEA team was just about 20 people. Since 2018, we’ve gone from servicing ~30 customers in the region to ~700 clients now.

On the left: First Recorded Future office in London. On the right: Recorded Future's newest office


Inside the Office

This modern high-rise building’s open-plan layout offers quite a few collaboration spaces across our office, where the team likes to have small team meetings, breaks, or even lunch.

Like all Recorded Future offices, our meeting rooms follow a unique naming convention. While Boston uses countries, and Sweden volcanoes - London chose islands. Rumors say we picked islands following a 95-day rain streak – we can neither confirm nor deny. So, in our London office, you’ll find Futurists collaborating in rooms like Bora Bora, Crete, and even San Andres.

Our Culture

What truly defines our London office is the sense of camaraderie – whether that’s competing in a friendly team padel game, testing your dartboard skills, or truly memorable summer & end of year celebrations.

The culture at the London office has always been welcoming and inclusive. The BDRs are the soul of the office, and you can always rely on them for a good conversation over a cup of tea.
Sam Pullen

Whether at summer picnics and pedalos in Hyde Park over the years, playing 5-a-side football in the pouring rain, or at the most recent Christmas party at the Savoy, our Futurists celebrate wins together.

Friendly Team Padel Game at Canary Wharf

Onwards & Upwards: Why Recorded Future

We asked Sam and Joe what has been the highlight of their long tenure at Recorded Future: the opportunity to build. For Sam, it has been the opportunity to build great relationships with clients over nearly a decade. For Joe, it has been the opportunity to build new solutions and new ways to work towards our mission.

The company offers opportunities to builders. If you are willing to take the initiative to make something better, you are not stopped. That is rare.

Joe Rooke

Director Risk Insights, Insikt Group

Ready for your next move? Join the team!

Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition

4 May 2026, 08:42
Here's a tip for you all. Unless you want to draw attention to yourself as a cybercriminal, don't flaunt your diamond-encrusted "HACK THE PLANET" necklace on Snapchat, or pose as a Sopranos crime boss while the FBI is reportedly closing in. Read more in my article on the Hot for Security blog.
  • ✇Security Boulevard
  • Breach of Confidence 1 May 2026 j4vv4d

Breach of Confidence 1 May 2026

By: j4vv4d
1 May 2026, 06:59

I’ve been thinking about coal mines. How you dig a hole in the earth, extract everything valuable, leave a scar, and walk away. Then someone comes along decades later and says, what if we filled it with water and made it beautiful? Feels like a metaphor for something, but I can’t quite land it. Germany … Continue reading Breach of Confidence 1 May 2026

The post Breach of Confidence 1 May 2026 appeared first on Security Boulevard.


  • ✇Recorded Future
  • Building with AI: Here's What No Briefing Will Tell You

Building with AI: Here's What No Briefing Will Tell You

29 April 2026, 21:00
  • Executives making AI decisions without hands-on building experience have a comprehension gap that no briefing can close.
  • AI is rapidly eroding most traditional competitive moats, and proprietary data's real value now comes down to how long it would take a competitor to reconstruct it.
  • As AI equalizes development speed, the most valuable engineers are those with sharp judgment and companies need to actively protect the foundational skills that make that judgment possible

Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats

30 April 2026, 05:13
US Marines stationed around the Persian Gulf have been receiving WhatsApp messages from strangers suggesting they call home and make their final goodbyes. Read more in my article on the Hot for Security blog.
  • ✇SOC Prime Blog
  • CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover SOC Prime Team

CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover

30 April 2026, 09:47

A newly disclosed CVE-2026-41940 vulnerability in cPanel & WHM has put internet-facing hosting infrastructure under urgent scrutiny. The flaw carries a CVSS score of 9.8 and can let an unauthenticated remote attacker bypass authentication and gain administrative access, while cPanel’s advisory says the issue affects cPanel software, including DNSOnly, across all versions after 11.40.

For defenders, CVE-2026-41940 detection should focus on exposed control panel instances, emergency patch validation, and session-file triage rather than malware hunting. Hosting provider KnownHost said the flaw was being actively exploited in the wild, and that a public technical analysis plus exploit code had already been released by watchTowr, raising the likelihood of broader opportunistic abuse.

The business risk is substantial because successful exploitation can give attackers control over the cPanel host, its configurations and databases, and the websites it manages. A simple Shodan query returned roughly 1.5 million exposed cPanel instances, underscoring how much attack surface may be available to both targeted and mass scanning activity.

CVE-2026-41940 analysis

The bug is described as an authentication bypass rooted in CRLF injection during the login and session-loading process in cPanel & WHM. According to its technical overview, cpsrvd writes a new session file to disk before authentication completes, and an attacker can manipulate the whostmgrsession cookie so that attacker-controlled values avoid the expected encryption path and are written into the session file unsanitized.

In practical terms, the vulnerability in CVE-2026-41940 lets an attacker inject arbitrary properties such as user=root into a session file, then trigger a reload so the application treats the session as administrative. That is why this issue is especially dangerous for shared hosting environments and server operators: it is not merely a login bug, but a route to privileged control over the management plane itself.

Unlike a malware dropper, the CVE-2026-41940 payload is a crafted authentication request that abuses newline injection and malformed session values to poison pre-auth session data. A public CVE-2026-41940 PoC was already available through third-party research.

Official details for CVE-2026-41940 are broader than the exploit mechanics alone. cPanel says the issue affects cPanel software including DNSOnly, while patched builds were issued for 11.86.0.41, 11.110.0.97, 11.118.0.63, 11.126.0.54, 11.130.0.19, 11.132.0.29, 11.134.0.20, and 11.136.0.5, alongside WP Squared 136.1.7. TheCyberExpress also highlighted that administrators must verify the installed version and restart cpsrvd after updating.

Just as importantly, CVE-2026-41940 affects not only directly exposed cPanel & WHM systems but also operational workflows that rely on pinned builds or disabled automatic updates. That matters because cPanel warned that such servers will not auto-update and must be manually remediated as a priority, while unsupported versions may also remain exposed until organizations move to supported release tracks.

CVE-2026-41940 Mitigation

The vendor’s primary guidance is straightforward: update immediately to one of the fixed versions using /scripts/upcp --force, confirm the installed build with /usr/local/cpanel/cpanel -V, and restart the service with /scripts/restartsrv_cpsrvd. cPanel also says administrators should manually identify systems where updates are disabled or version pinning prevents automatic remediation.

When patching cannot happen right away, cPanel recommends temporary containment steps that include blocking inbound traffic on ports 2083, 2087, 2095, and 2096 at the firewall or stopping cpsrvd and cpdavd. TheCyberExpress echoed the same short-term advice and noted that some providers restricted panel access while broader patch rollout was underway.

To detect CVE-2026-41940, defenders should use the vendor’s filesystem-based detection script and review suspicious entries under /var/cpanel/sessions. cPanel’s script looks for session artifacts such as token_denied appearing together with cp_security_token, authenticated attributes inside pre-auth sessions, suspicious tfa_verified states, and malformed multi-line password values. Those published checks effectively act as CVE-2026-41940 IoCs for post-exploitation triage.

If the script flags likely compromise, cPanel says defenders should purge affected sessions, force password resets for root and all WHM users, audit /var/log/wtmp and WHM access logs, and look for persistence such as cron entries, SSH keys, or backdoors. In other words, CVE-2026-41940 mitigation should be handled as both patching and incident response, not just a routine version upgrade. Note that cPanel’s temporary containment guidance covers the plain-HTTP ports 2082 and 2086 as well as 2083, 2087, 2095 and 2096.
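The patch-verification and session-triage steps above, collected into one small POSIX shell helper as an added example. This is not cPanel’s own detection script (which should still be run); it checks a build string from /usr/local/cpanel/cpanel -V against the fixed builds the advisory lists, and flags the session-file artifacts quoted from cPanel’s checks plus two generic CRLF-injection tells (a key written twice, and raw carriage returns or non key=value lines). Assumptions: session files are plain key=value text, one pair per line; tfa_verified is only surfaced for review rather than judged; the session directory and the sample file contents are constructed for the demo.

```shell
#!/bin/sh
# Added triage helper for CVE-2026-41940 (example code, not cPanel's script).
# Assumed: session files are plain "key=value" lines; artefact names are the
# ones quoted from cPanel's published checks; samples below are constructed.

# Fixed builds per release track, as listed in cPanel's advisory.
FIXED_BUILDS="11.86.0.41 11.110.0.97 11.118.0.63 11.126.0.54 11.130.0.19 11.132.0.29 11.134.0.20 11.136.0.5"

# ver_ge A B: exit 0 when dotted version A >= B, comparing field by field.
ver_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0 }'
}

# is_fixed_build VERSION: exit 0 when VERSION is on a listed track and at or
# above that track's fixed build. Older builds, and tracks not in the list,
# are treated as unpatched so they get checked against the advisory by hand.
is_fixed_build() {
    track=$(printf '%s' "$1" | cut -d. -f1-2)
    for fb in $FIXED_BUILDS; do
        if [ "$(printf '%s' "$fb" | cut -d. -f1-2)" = "$track" ]; then
            ver_ge "$1" "$fb"
            return $?
        fi
    done
    return 1
}

# scan_session_file FILE: print one "FLAG: ..." line per artefact found;
# exit 0 if anything was flagged, 1 if the file looks clean.
scan_session_file() {
    f="$1"
    hits=0
    # 1. token_denied and cp_security_token present in the same session
    if grep -q '^token_denied=' "$f" && grep -q '^cp_security_token=' "$f"; then
        echo "FLAG: token_denied present together with cp_security_token ($f)"
        hits=$((hits + 1))
    fi
    # 2. a key written twice: injected newlines append extra properties
    for k in $(awk -F= 'NF >= 2 { c[$1]++ } END { for (k in c) if (c[k] > 1) print k }' "$f"); do
        echo "FLAG: key '$k' appears more than once ($f)"
        hits=$((hits + 1))
    done
    # 3. raw carriage-return bytes, which a normal writer never emits here
    if LC_ALL=C grep -q "$(printf '\r')" "$f"; then
        echo "FLAG: carriage-return bytes found, possible injected CRLF ($f)"
        hits=$((hits + 1))
    fi
    # 4. lines that are not key=value: continuation of a multi-line value
    if grep -v -E '^[A-Za-z0-9_]+=' "$f" | grep -q .; then
        echo "FLAG: malformed line without key=value, possible multi-line password ($f)"
        hits=$((hits + 1))
    fi
    # Informational: tfa_verified state should be reconciled with WHM logs
    grep '^tfa_verified=' "$f" | sed "s|^|INFO: $f: |"
    [ "$hits" -gt 0 ]
}

# write_samples DIR: constructed sample sessions for the demo (not real data).
write_samples() {
    printf 'user=victim\npass=s3cret\ntfa_verified=0\n' > "$1/clean"
    printf 'user=victim\npass=abc\r\nmore-of-the-injected-value\r\nuser=root\r\ntoken_denied=1\ncp_security_token=cpsess-placeholder\n' > "$1/poisoned"
}

# demo: scan a constructed directory; on a host under investigation, point the
# loop at /var/cpanel/sessions instead.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    for f in "$d"/*; do
        if scan_session_file "$f"; then echo "$f: REVIEW"; else echo "$f: clean"; fi
    done
    rm -rf "$d"
}
```

Call `demo` to see the constructed clean file pass and the poisoned one collect four flags; in real use, feed `is_fixed_build` the string reported by /usr/local/cpanel/cpanel -V and loop `scan_session_file` over /var/cpanel/sessions. Any FLAG line is a trigger for the incident-response steps the article lists, not proof on its own.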

FAQ

What is CVE-2026-41940 and how does it work?

It is a critical cPanel & WHM authentication bypass flaw that stems from session handling and CRLF injection in the login/session-loading flow. Attackers can manipulate pre-auth session data and ultimately create administrator-level access without valid credentials.

When was CVE-2026-41940 first discovered?

The private discovery date has not been publicly disclosed in the sources reviewed. Publicly, cPanel acknowledged the issue in a security advisory published on April 28, 2026.

What is the impact of CVE-2026-41940 on systems?

Successful exploitation can give an unauthenticated attacker administrative access to cPanel & WHM, which can translate into control over the host system, configurations, databases, and hosted websites. In shared hosting environments, that can turn a panel compromise into a full platform compromise.

Can CVE-2026-41940 still affect me in 2026?

Yes. Any exposed system that has not been updated to a fixed build can still be at risk in 2026, especially if automatic updates are disabled, the server is pinned to a vulnerable version, or it is running an unsupported release that has not yet been moved to a supported patched branch.

How can I protect myself from CVE-2026-41940?

Apply the vendor’s patched build immediately, restart cpsrvd, run the detection script against /var/cpanel/sessions, review for suspicious session artifacts, and treat any confirmed hit as a possible compromise requiring session purges, password resets, and log review. Short-term firewall restrictions can reduce exposure, but cPanel makes clear that patching is the priority.

The post CVE-2026-41940: Critical cPanel & WHM Authentication Bypass Exposes Hosting Servers to Admin Takeover appeared first on SOC Prime.

Alleged Silk Typhoon hacker extradited to the United States to face charges

29 April 2026, 09:14
A man accused of working as a hacker for China's Ministry of State Security has been extradited to the USA from Italy, and faces - if found guilty - the prospect of decades behind bars. Read more in my article on the Hot for Security blog.
  • ✇Recorded Future
  • The Money Mule Solution: What Every Scam Has in Common

The Money Mule Solution: What Every Scam Has in Common

27 April 2026, 21:00
  • Scams are a $450B–$1T global problem, and unlike card fraud, they don't require a breach; just convincing a victim to send money themselves.
  • The mule account is the most stable target: every scam needs an exit point, and intelligence gathered before a transaction occurs is more actionable than behavioral monitoring after the fact.
  • CYBERA's approach uses agentic personas to engage active scammers and extract verified mule account details, confirmed intelligence, not probabilistic scoring.
  • Regulatory pressure is accelerating: the UK already mandates APP fraud reimbursement, and the US, Canada, and Australia are following, raising the stakes for institutions that don't act proactively.

  • ✇Recorded Future
  • Lazarus Doesn't Need AGI

Lazarus Doesn't Need AGI

27 April 2026, 21:00

Last week’s reporting on unauthorized access to Claude Mythos reads as an AI security story. It is also, structurally, a North Korea (DPRK) story. Even if the current suspects turn out to be Discord hobbyists.

Mythos was meant to be contained. Within hours of the public Project Glasswing announcement, a third-party contractor environment became the access vector. Not because Anthropic did something wrong. Because controlled release, at the scale modern enterprise software operates, is a goal rather than a guarantee.

The interesting question isn’t who got in this time. It’s who gets in next, and their economics.

What happened?

The group accessed Mythos the same day it was announced, guessing the endpoint based on Anthropic’s naming conventions for prior models. The vector was an individual employed at a third-party contractor, not Anthropic’s core infrastructure. Source characterizations point to a research community “not wreaking havoc” with the model.

The misread

If the coverage only centers on Anthropic’s security posture or the AI safety debate, we’re missing an important angle.

The structural signal is that any preview or controlled-access model release has porous boundaries by design. Access controls on paper (contracts, NDAs, approved vendor lists) differ from those in practice. Every partner brings their own contractors, endpoints, and people with legitimate credentials and uneven security hygiene. That is the real control surface, not the cryptographic perimeter around the model itself. Which makes this a supply chain problem that happens to be about AI, not an AI problem that happens to involve vendors.

The blind spot

AI policy discourse is locked on US versus China, including energy, chip controls, export rules, sovereign AI posture, and who wins the race.

Structurally missing from the larger conversation is the one state actor whose entire foreign currency revenue stream is cyber-enabled theft. DPRK doesn’t need to win any race. They need a 20-30% productivity gain in existing operations.

The pipeline is documented. Insikt Group’s Crypto Country estimated that regime-linked cryptocurrency theft reached roughly $3 billion through 2023. The Multilateral Sanctions Monitoring Team (successor to the UN Panel of Experts after Russia’s 2024 veto) has since done the harder primary work. MSMT’s October 2025 report documents $2.8 billion stolen from cryptocurrency companies between January 2024 and September 2025 across more than 40 heists, with proceeds explicitly tied to WMD and ballistic missile program funding. The State Department updated the tally in January 2026: another $400 million stolen in the three months since publication, bringing the 2025 totals above $2 billion.

Every successful crypto exchange intrusion ends up on a launch pad.

Why North Korea wants the next model

Crypto exchange intrusions are labor-intensive at every phase. Recon, social engineering at scale (fake developer personas on GitHub and LinkedIn, spear-phishing of individual engineers at wallet providers), credential harvesting, post-exploit lateral movement, key extraction, and laundering.

Agentic capability compresses that cycle: the same operator-hours yield more successful intrusions, and more stolen money per operator.

Bybit is an easy example. The FBI attributed approximately $1.5 billion in stolen virtual assets to TraderTraitor in February 2025. The intrusion chain ran months of patient targeting against a single Safe{Wallet} system administrator via phishing, followed by post-compromise operational patience. These types of attacks are expensive, time-intensive, and still extraordinarily productive.

Lazarus and TraderTraitor don’t need AGI. They need the productivity lift that turns a junior operator into a senior one and shaves weeks off the planning phase. It doesn’t have to be Mythos specifically. Any comparable capability through a comparable vector does the job.

Better tools mean more successful intrusions. More successful intrusions mean more stolen crypto. More stolen crypto means more missiles.

Three access patterns

Three different tradecraft patterns keep getting conflated in media coverage. They are not the same TTP, and treating them as one weakens the response on all three.

1. Contractor misuse. A legitimately credentialed employee at a third-party vendor uses their access for unauthorized purposes. This is the Mythos story. The credentials and access are real, though the intent is variable. Defenses (easy to say, hard to do well): telemetry, behavioral monitoring, and least-privilege scoping at the vendor tier.

2. Fraudulent hiring. An adversary places its own operatives inside the target through stolen or synthetic identities, often via remote IT contracting. This is the DPRK IT worker scheme. Insikt’s Inside the Scam documents PurpleBravo’s infrastructure: front companies in China spoofing legitimate IT firms, and a malware ecosystem (BeaverTail, InvisibleFerret, OtterCookie) targeting the cryptocurrency industry. The credentials are real, but the identities are fake. Defenses: identity verification at hire (in-person interviews to avoid AI tricks), ongoing personnel vetting, geographic and behavioral baselining.

3. Supply chain compromise. A trusted vendor’s systems get breached, and the attacker uses that vendor’s legitimate distribution channel to reach the real target. TeamPCP’s March 2026 LiteLLM compromise hit the AI toolchain directly, poisoning Trivy (a defensive security scanner) to reach a package with 95 million monthly downloads. Defenses: build-pipeline integrity, dependency monitoring, signed artifacts.

These three attack vectors converge on the same truth. Any preview or limited-release AI program that depends on third parties is exposed to all three vectors simultaneously. DPRK is the actor most motivated across the full triangle because the revenue case is specific, measurable, and directly beneficial for the regime. They are incentivized to be “AI native.”

So what?

In the security industry, we need to stop thinking about AI access as purely a lab problem when it’s also a sanctions problem. The great-power competition framing obscures the actor already online, with a rich history of monetizing cyber heists to fund missiles.

“Limited release” is a wonderful bumper sticker. The AI reality, from a threat-modeling perspective, is a countdown to turbo-charging adversarial capabilities.

Now what?

The honest conversation is that perimeter-style AI “controlled access” is less effective against state-sponsored adversaries. A productive security path is a distinct preview infrastructure, aggressive telemetry, canaries, and third-party access tied to personnel-level vetting rather than contractual attestation. (Guessable endpoints should be the first thing dead.)

Crypto exchanges and custodians: your threat model needs to anticipate what Lazarus can do 3 to 6 months from now, not what they did last quarter. Assume they improve faster than your defenses do.

Policymakers: DPRK is a first-class entity in AI access governance. The Multilateral Sanctions Monitoring Team framework already documents cyber-enabled sanctions evasion thoroughly. What it doesn’t yet do is name AI capability access as a sanctions-relevant category. Dual-use export controls have governed the transfer of semiconductor and missile technology for decades. AI capability is the obvious next category.

Corporate CISOs (outside the AI-lab orbit): your third-party contractor environments are now inside the AI capability threat surface, whether you opted in or not. Inventory accordingly.

Close

Mythos is a preview of an access pattern. Any actor whose business model is stealing money to build weapons will find the third-party seam. This time, it was hobbyists. DPRK has spent two decades proving why nonproliferation is the right frame here.

  • ✇Security Boulevard
  • DKIM2 Explained: What’s Changing and What to Do Hagop K.
    Originally published at DKIM2 Explained: What’s Changing and What to Do by Hagop K. Our team was at a deliverability summit where ... The post DKIM2 Explained: What’s Changing and What to Do appeared first on EasyDMARC. The post DKIM2 Explained: What’s Changing and What to Do appeared first on Security Boulevard.

French police arrest 21-year-old “HexDex” hacker over 100 alleged data breaches

28 April 2026, 05:43
A 21-year-old man suspected of conducting approximately 100 data breaches since late 2025 - including a hack of the French Ministry of National Education that exposed records on almost a quarter of a million employees - has been arrested at his home in western France. Read more in my article on the Hot for Security blog.
  • ✇Security Boulevard
  • AI Security Questionnaires: Why Most Startups Fail (And the Trust Stack That Fixes It) Karunakar Goud

AI Security Questionnaires: Why Most Startups Fail (And the Trust Stack That Fixes It)

27 April 2026, 06:08

It’s Monday. Your enterprise prospect just sent a 312-question security questionnaire. Forty of those questions are about AI — model bias, training data lineage, ISO 42001, NIST AI RMF. Your Series B closes in six weeks. You don’t have answers. You’re […]

The post AI Security Questionnaires: Why Most Startups Fail (And the Trust Stack That Fixes It) appeared first on Cyber security services provider, data privacy consultant | Secureflo.

The post AI Security Questionnaires: Why Most Startups Fail (And the Trust Stack That Fixes It) appeared first on Security Boulevard.

  • ✇Security Boulevard
  • TDL 020 | Why DNS Is Your First Line of Cyber Defense | Chris Buijs Carly_Engelbrecht

TDL 020 | Why DNS Is Your First Line of Cyber Defense | Chris Buijs

24 April 2026, 15:22

In Episode 20 of The Defender’s Log, host David Redekop sits down with Amsterdam-based tech veteran Chris Buijs to discuss the often-overlooked backbone of internet security: DNS (Domain Name System).

The “Set-it-and-Forget-it” Trap

Buijs, who transitioned from an electrician to a network architect, notes that many organizations treat DNS as a “utility” rather than a security asset. Because services like Microsoft Active Directory include DNS by default, IT teams often adopt a passive, “next-next-finish” mentality.

“It’s the protocol with the most RFCs because we’re constantly building security and encryption on top of it,” Buijs explains. “But if DNS goes down, everything goes down. No IP, no business.”

Breaking Down Silos

A major hurdle in modern security is the disconnect between departments. In large enterprises, the Networking, Security, and DNS teams often operate in isolation. Buijs argues that for a true Zero Trust posture, DNS must be integrated into the core security architecture, not managed as a lonely outlier.

Key Takeaways for Defenders:

  • Visibility is King: You cannot protect what you don’t measure. Use DNS logs to identify shadow IT and malicious behavior.
  • Automate with Intent: While CI/CD and DevOps speed up deployment, they often create security gaps if DNS isn’t part of the automated template.
  • The 5-Minute Rule: Scanners like Shodan and Censys can find a new public IP in minutes. If your DNS isn’t hardened (using tools like TSIG), you’re already exposed.

As the industry moves toward DevSecOps, DNS remains the first and last line of defense. Don’t let it be an afterthought.

Full episode of The Defender’s Log here:

Why DNS Is Your First Line of Cyber Defense | Chris Buijs | Defender’s Log

TL;DR

  • Critical Infrastructure: If DNS fails, business stops; yet it’s often ignored as a “set-it-and-forget-it” utility.
  • Siloed Teams: Disconnects between Networking, Security, and DNS teams create massive defensive gaps.
  • Default Vulnerability: Standard “out-of-the-box” setups (like Active Directory) lack visibility and hardening.
  • Automation Gaps: Modern CI/CD often neglects DNS architecture in favor of deployment speed.
  • Instant Exposure: Scanners (Shodan/Censys) find new IPs in minutes; unhardened DNS is an immediate target.
  • Protocol Abuse: DNS and NTP remain top vectors for amplification and DDoS attacks.
  • Shrinking Expertise: Deep protocol knowledge is being replaced by “black box” cloud defaults.
  • The Goal: Integrate DNS as your first and last line of defense.

Links

View it on YouTube: https://www.youtube.com/watch?v=O1j4eY-blfM

Listen to the episode on your favourite podcast platform:

Apple
https://podcasts.apple.com/us/podcast/why-dns-is-your-first-line-of-cyber-defense/id1829031081?i=1000763429341

Spotify
https://open.spotify.com/episode/3l5QcgJeiDks4StxVHT1bA

Amazon Music
https://music.amazon.ca/podcasts/d7aa9a19-d092-42a6-9fe9-9e8d81f68d30/episodes/33e90cb7-0fb3-4fca-aae7-528e3e027376/the-defender%E2%80%99s-log-podcast-why-dns-is-your-first-line-of-cyber-defense

ADAMnetworks
https://adamnet.works


Full Transcript: The Defender’s Log - Episode 020


Why DNS Is Your First Line of Cyber Defense

Intro: Deep in the digital shadows where threats hide behind any random byte. A fearless crew of cybersecurity warriors guards the line between chaos and order their epic battles rarely spoken of until today. Welcome to the Defender’s Log, where we crack open the secrets of top security chiefs, CISOs, and Architects who faced the abyss and won. Here’s your host, David Redekop.

David Redekop: Welcome back to The Defender’s Log. This is episode 20 and I’m really glad to have Chris Buijs with me today. Chris, welcome.

Chris Buijs: Thank you. Thank you for having me.

David Redekop: Did I pronounce your name properly?

Chris Buijs: “Boughs”. No, don’t worry about it. Everybody gets it wrong. Buijs.

David Redekop: You know, in Dale Carnegie training that I went through a number of times, a number of years ago, there was one particular episode, episode we call it, no, we call it a session. And in that session, it was about the importance of a name. It is literally the sweetest sound to your ear, having your own name. And so ever since then, it’s been important to me to at least attempt to pronounce the name correctly, so.

Chris Buijs: The effort is appreciated.

David Redekop: Yeah. Yes. And what does the name 20 mean to you? Anything at all?

Chris Buijs: 20. Yeah, I live in Amsterdam and 20 is the area number, the area phone number. So if you do some local services, like a website or stuff like that it’s common to say Company 20 or Company zero 20. We identify with the local Amsterdam vibe, if you like.

David Redekop: Amsterdam really in so many ways, is such a hub for tech, especially cyber tech. And I’ve noticed this, that if you were to tell me, or if you were to quiz me and say, what percentage of the web when it comes to technical internet engineering kind of discussions happens in what language? I would say English is number one and Dutch is probably close to number two. Would that seem to make sense?

Chris Buijs: Here in Amsterdam, you mean? No, it’s mostly English, I would say in the tech scene.

David Redekop: Right, absolutely. It is mostly English and in fact, I find that my Dutch friends are very often more competent in English than many Canadians and Americans are.

Chris Buijs: No, you hear it a lot and that’s why it’s also the #1 Expat spot in Europe, I would say, not by numbers, but by viability, I would say. But English is very, very common because we do a lot of technology here and innovation. But it’s mostly the written sort of it instead of the selling of it, I would say, if that makes any sense. So we do lots of innovation on standardizations, protocols, all kinds of tech. You know, how to do it, how to figure it out, you know, breaking it in and then give it to someone to make it or operate it. So all those manuals need to be in English. Otherwise, you know, it would not work. And we’re an import-export country from hundreds of years. So English was, you know, the way to conquer the Brits, right? And go to America, you know, we have lots of history there as well.

David Redekop: There is fascinating history and there’s a lot of details in written history or oral history at the time about what the Dutch represented to the British. And it wasn’t flattering, it was not positive at all. And the height and the blonde hair color was, you know, kind of used against the Dutch. That which stood out. Yeah, it’s almost comical looking back at it now. But, no, we’re definitely very grateful for all the Dutch contribution to making the internet a better place. Chris, you and I met online and through various online resources. All people DNS eventually connect with each other, right?

Chris Buijs: Oh, yeah. No, no. It’s a very small community if you think about it worldwide. We all know each other at one point of time, and if you don’t know someone, you’ll get introduced very quickly like we did as well. It’s fascinating stuff. DNS is fascinating and you need to have a knack for it, I think. And I think all the people I meet that stay in contact, they all have knack or is crazy or insane. It’s close to insanity, I would say, but it’s true. Yeah. You meet so much nice people and they are not many, but if you meet them, they are all great, somehow it’s a good club of people.

David Redekop: Yes. And it’s not a space that ever stands still. You would think that at some point we would reach a level of stability, a level of maturity, a level of, you know, steady state. And that we have yet to arrive at that because every single time there is a new dynamic in terms of how internet security develops. DNS necessarily needs to keep up, and yet we can’t break anything from the past, right? So there is this ongoing effort of keeping up with the new without breaking the past, and kind of gives an appreciation for, you know, what Microsoft does, you know. Let’s give credit where credit is due, that if you’re going to have a long living protocol or long living operating system, long living anything, and there’s a dynamic that requires you to keep up but not break anything. Over time, that does get complex. And so that’s where we are today.

Chris Buijs: Oh yeah. It’s a bolt-on protocol. And, you know, it is the protocol with the most RFCs, or anything with the most RFCs anyway, because we’re building on all kinds of security features and encryption and all kinds of whatever, because it’s important. So we keep moving in the direction of making it better, safer, faster, you know, whatever it is, right? So, yeah.

David Redekop: Right. When we first started writing our own resolver, it was like, “How many of these RFCs do we want to be compliant with?” And the list just kept on growing and growing and growing. Chris, I would be very interested for us and our audience to hear your origin story. What was your childhood like that led you down the path of being interested in technology in general?

Chris Buijs: I think it was around the time period where you had the Commodores and the Ataris and all the British boxes out there. That got me in, because school started doing it as well. So I got introduced via school and via buddies, basically, and started programming because that’s what you did. Because the corner shop could not sell you software or a game or whatever. So you wrote it yourself. So programming was really a thing that you did at that time, for educational purposes but also, you know, at home as a hobby. So that got me in touch with technology, I would say, at an early age. And then later on, I kind of went into the electrical engineering role, not because of it, but there’s kind of a connecting story there to become an electrician. And one of my first jobs was, you know, pulling cables and rolls and all this kind of good stuff. And that was in the era that network cabling became a thing, you know, offices needed network cables to run Token Ring, in that era of ATM. So I was the guy that was pulling those cables, and so all these blinking lights in the closets and all this kind of stuff, and I said, that’s cool. So I started doing more and more. And when you get in touch with those people that need your cables, if you can say it like this, they’re gonna tell you a little bit of this, a little bit of that. And I found that highly interesting. So I left being an electrician behind and went on some courses for, you know, ICT, or they call it, I think they still call it like this, or IT, or whatever they call it, you know, but networking, basically, operational networking, building networks. So that was my first step. And this was all Token Ring, IBM technology, match, you know, as an Israeli clone of Token Ring, a bit older networking software around it, protocols, LAN Manager was one of the first ones I would say, Banyan VINES and NetWare, you know, SPX/IPX, all this kind of stuff. VIP, no TCP/IP yet, it didn’t exist yet.
It existed somewhere on ARPA or DARPA, but not on corporate networks yet. So, and then the story of this multi-stack started, you know, we had NetBIOS, even some TCP appeared early, and we had multi-stack, and that was kind of unmanageable. And I go, and I went in there, I said, okay, I can build networks, I can architect them, I can physically build them. But now we also need to see how we can build them the best way to comprehend all this multi-stack mess. Because that was what it was, and it was not as big as now, right? But it was expensive. Very expensive. It needed to be put into the equation of the bottom line. So it was lots of automation. You know, this was when PCs came in and all this kind of stuff. And that went well for a couple of years. And then TCP-only, TCP/IP-only, networks, you know, and the printless office. Those were kind of the two things that were combined. So we went to TCP/IP and voilà, we also had Ethernet now all of a sudden, so all this cabling stuff, we’re gonna do it again. And DHCP, DNS, NTP, NetBIOS, WINS, all these kinds of protocols needed to be operating on the network to make sure that, you know, everything went from A to B. So multi-stack, then one single stack, TCP/IP only, and these networks were growing quite fast. This is the 90s, I would say, the first half of the 90s, where we had so many protocols and IP addresses and stuff like that. We didn’t do Excel yet then. I think it was just vi. Host files and vi. And that was an era where you started to say, hey, you know, we need to automate this. We cannot keep track. And if we can pull it from the network or push it to the network and configure it remotely, you know, the switches, the routers and all this kind of good stuff, you know, we do that. So we started writing our own scripts, you know, and maybe some software that was available from some network vendor. Started managing those networks to make 'em sizable.
And this is where I got introduced mostly to the IP, DNS, DHCP, NTP stuff. And I started looking for management software that does it. So we ended up with QIP; we were one of the first partners of Quadritek at the time that started QIP, which is DDI, you know (DNS, DHCP, IPAM: IP address management), to manage those networks on the protocol level to, you know, provision networks and make sure that if you plug something in, it gets an IP address and it works, you know, very exciting stuff. We took it from there, and then we became kind of a group of people that did stuff, and we went away more from the networking and more to the provisioning side of the story. Big networks like enterprise networks, telcos and all this kind of stuff. And the more we did that, the more we wanted to automate, because first it was static IP addressing, you know, it was not scalable at all. So DHCP came in. And then Microsoft came along with their Active Directory crap. Sorry, I said that because it is, which was completely not scalable, but it came with all the services that you need to run a network without having knowledge. Right? And we saw that happening and it became quite messy in lots of environments. And we said, hey, you know, we need to do something, we need to push for better, higher-grade services, network services, because this is important stuff. If a network service goes down, DNS goes down, everything goes down, right? No DHCP, no IP address, no business. So that was really where we said, hey, we need to make this more serious. You know, we need to tell the market that they need to take care of this, like security. You need to take care of provisioning, you need to take care of your assets. What’s happening on your network? Are you using it well? You know, can you improve it? Can you optimize it? All this kind of stuff. Which comes with the services, because you just look at the logs, right? And then you get a lot of information you can do something with.
So we did a lot of stuff there. And then this DNS thing, you know, caught my mind. And I love DNS, I really love it, and you can use it for so many things. If you have the right version in the right spot, in the right architecture and those kinds of things, you can really leverage it for a lot of stuff without spending a lot of money on security solutions, for example, or network management solutions that don’t make any sense. Because at that time, what you saw is, you know, you were running a Cisco network, you were not running a company network, or you were running a Check Point security network or infrastructure, not a company network infrastructure. Right? So you just copied what the vendor said and then you let it run, and it came with all the software like Active Directory. Right? And what you saw is that the knowledge on this part became very scarce, because, you know, you switch it on, you know, we install a Microsoft Active Directory server and DHCP and DNS just run, you know, and that’s fine. You know, it doesn’t break, it runs, it’s slow maybe, but, you know, no problem. So the knowledge on these kinds of protocols and on this level of networking, and especially on the security side, was very terse, and we saw that as an opportunity, you know, and said, okay, we’re gonna take care of that for you and make sure that it is secure and is fast and nice and whatever, and you’ll also have information and you have visibility and inventory and, you know, whatever you want. Right? So that was a good business. Still doing that till today, where DNS is still, you know, one of my favorite hobbies, professionally and privately, and helping companies just to architect it right. And include it in your security posture and include it in your architecture, and don’t say, you know, oh, it comes with Microsoft.
So we just switch it on and, you know, we’re on page 24 of the manual and we will be fine because that’s the recommendation, and that’s just not enough, and this is a lack of knowledge. So I try to spread knowledge on this, which becomes more and more difficult by the day. But it’s good for business because of it. So yeah, that’s kind of the story. I gave you the short one because it went, I can go very deep on a network level, especially on Cisco and syslogging and query logging and all this kind of stuff where you have feasibility kind of stuff. And then later on I was still doing that, but more in steering, leadership, evangelist, trainer kind of stuff, you know, to share this expertise and say, hey, we need more people that know this, so we get better networks out of it, which is still needed.

David Redekop: Very interesting, Chris. Very interesting. I’m gonna go back to your light bulb moment when you said, DNS! This is it! This is the interesting thing! Because everything that led up to that point was a series of steps to get to the point where DNS works, right? We sometimes have arguments about what kind of protocol DNS is and what level of the OSI model it runs at, and my answer usually is, “well, everything from 2 to 7 depending on how you use it.” But at the end of the day, it’s a layer 7 application, so you need to have a number of building blocks in order to get there.

Chris Buijs: It’s funny that you said that, level 7. It’s a pain in my heart to admit that you’re right on it, because I’m still a networker. For me, it’s level 3, all the way. Yeah. But from the perspective that you need to have, absolutely. And it came again with this, I don’t wanna bash Microsoft Active Directory at all, but it came a little bit with Microsoft, where they positioned it as an application because it runs on an operating system, and it makes complete sense, and there was a light bulb moment there as well, where they said, hey, if you say level 7, there is all of a sudden more interest for it from the networking guys, from the security guys, from leadership, from decision makers and stuff like that, because now they get it somehow, because level 3 is, you know, that’s mystical and, you know, magic and all that kind of stuff. And then, you know, they made it easier to sell it, I would say, from a product level or from a knowledge level or to get buy-in and all this kind of stuff, so I fully agree. But I also disagree a little, you know, in my heart.

David Redekop: Yeah. No, I completely get it, I completely get it. Especially because the things that are at layer 3 tend to be a set-it-and-forget-it kind of thing. And that’s where, even to this day, a lot of layer 3 functionality is monitor it, but you don’t need to have this continuous defense posture. And in your writing in SC Media, I noticed that you have pointed that out, that traditional IT Ops teams were used to this set-it-and-forget-it mentality and now needed to make that shift towards DevSecOps, where it’s about this continuous defense mindset. When did that first become obvious to you?

Chris Buijs: Well, downtime, right? That was the #1. You know, and it’s, you know, the haiku, “it’s always DNS.” This is how this, this is where it all started, where, you know, especially in the beginning, when we transitioned from host files to DNS, because you needed DNS for distribution and auto-updates and all this kind of good stuff, right? So now things became automated, so it also goes wrong automatically, because it’s all new and all these kinds of things. So we had massive downtimes, you know, and this was in a time when, if it was down for an hour, it kind of was not nice, but, you know, we were not, you know, losing millions of dollars or millions of euros. Right. But nowadays, if DNS goes down, it’s not only the impact on the network owner, but it’s also affecting your business or, in the worst case, even the business of other people. And then, you know, you always see it’s, I think a good example is the Facebooks and Cloudflares of this world that have an outage. And when it’s DNS, you notice; I always see a red flag. So if they know what it was, they immediately report on it an hour later: “we fixed it. This was it. Configuration issue, whatever, lalalalala.” But if it’s DNS, it’s always a week later, or it’s always two weeks later, because they’re looking in the wrong places. They don’t do, you know, so I’m an old debugger on networks. I start with layer 0 and then go up, layer by layer, to layer seven, right? Not the other way down. And you see with, especially with SaaS and cloud, you know, they are level 7, right? So of course they’re gonna go from level 7 down, but it takes you a lot of time to do so, to do the debugging. So that was for me where I get like, okay, the impact of this is that “we need to do it well,” because if I have a wrong comma in some text file, the business stands still.
So this is how important it is, and it’s still difficult to sell this because, and it’s kind of a problem with DNS, that it kind of always works, you know, set-it-and-forget-it, as you said. And if it works, it works well for a long time. And then when it goes down and there’s trouble, people have trouble identifying that it is DNS. They don’t automatically make the hook with DNS. I do it instantaneously. I go directly to DNS because I’m a DNS guy. Right. But most companies don’t, and I think there are a couple of reasons for this, which is kind of, it comes back to my storytelling to lots of companies as well. So, you know, who owns DNS in a company, for example? You know, mostly it’s the networking guys, or it’s the Microsoft guys, but not the security guys, for example, or any mix, you know, depending on the size of companies and all this kind of stuff. So before you get everybody on board and, you know, fix broken communication between departments, you already have, you know, downtime growing. And that’s what I said earlier: it needs to be part of your architecture. DNS, DHCP, and all these networking provisioning protocols need to be part of your architecture and part of your stack. So all this full-stack nonsense I’m hearing continuously nowadays, with CI/CD and full-stack development and stuff like that, and they go like, “what are you using for DNS?” “Oh, it’s there, it’s in Docker,” whatever. I said, no, see, there you go again. We automate the hell out of everything. Beautiful. Really, I love it. But then we forgot DNS again. We’re happy to spend 10 million on a firewall, but 10,000 euros on a good DNS server is kind of the most difficult thing to do or something, because it always is up. And it costs “nothing” (between quotes). These Microsoft servers, DNS is included, so it’s for free, right? Yeah. This is all nonsense, of course, but this is the perception that you need to break, and all companies, all bigger companies, have this perception. It runs.
We can blame Microsoft or we can blame some other vendor or whatever because it’s part of the architecture, because, you know, we’re using it.

David Redekop: I constantly see the same. You probably are also a witness to this, where 7-, 8-, 9-figure top-line companies have their endpoints’ DNS pointing directly to their Active Directory DNS. Just the prevalence of that one default alone tells me that you are right in your broader assessment that DNS is not thought about proactively. And we find the same thing about the DNS folks, or the ones that carry that responsibility: the larger the organization, the more isolated they are, and the less influence they have on the networking team, the less influence they have on the security team. So, in a larger enterprise, we’re talking about dealing with three separate and distinct teams, security, networking, and the lonely DNS team, just to do DNS correctly, and then trying to corral 'em together to agree on something. Everybody feels like their domain is being trodden upon when a good idea or a good strategic step forward is being proposed.

Chris Buijs: They are also not investing in DNS, right? One of the things to add to that, because I worked with lots of the bigger, the top 500 enterprises in the world. Not to pat myself on the shoulder, but I did. And what you’re seeing is that the DNS team for a big bank worldwide is maybe three people, you know, so the investment in that kind of department is so low that it disappears from the chart, right? So, and with that, the seriousness or the importance as well, because it’s not costing anything, you know, compared to a security team, for example, which costs hundreds of millions in larger organizations. So I think it’s also the voice they don’t have because of that, or the politics around that is, you know, when it goes down it’s always like the DNS guys all said, “we told you so.” Always, always. And nobody listens because there are three nerds in a 100,000-people company that are making sure everything works. I don’t know what it is exactly, I think it’s knowledge on the decision-making level. The DNS guys are not equipped to explain how DNS works and how important it is in the architecture, so we can help them with that. But it’s, you know, a lot of work. But it’s also money, you know. How much do you need? Yeah. 10,000, 20,000. Oh. But can we not use this DNS thing from Microsoft or whatever? So they’re battling, constantly battling, and we need to help those guys a little bit more, which I’ve been doing for the past 25 years. It helps a little bit, but we need to do it absolutely more.

David Redekop: Right. Absolutely. Is there any particular strategy that you find has worked? Because when you focus in areas that you’ve also written about, which is about moving towards automation, the moment you have good quality automation, you’ve got this human dividend, you’ve got a return of people’s expertise, that’s basically a return in the form of availability of, you know, time and tasks. How do you convert that availability now to a defensive posture?

Chris Buijs: Well, it’s what you guys do with Zero Trust, right? You turn it around. So you only trust what you can trust. But what I’m seeing is two things that go a little against that. You now have application builders in the enterprise, for example. They build an application, they push a button, and it runs on the network and it is provisioned, DNS, DHCP, the whole thing included. Security zones and whatnot. They actually don’t think about it because it’s the press of a button. So it’s not on their minds to build or architect an application that takes into account some stuff so it works even better, or in conjunction with the security policies and all this kind of stuff, instead of just template and you’ll be fine and we will see it in the audit. But the performance could be bad, or it could even be leaking, or some security implications because of it, because they don’t have it on their mind, because they are just flushing out code, right? And what you see there is that having a process, automated or not, it doesn’t really matter, that thinks about the stuff, where all these geniuses are together and think about it, instead of different departments that come up with their own template. You know, you run three templates: a security template, the DNS template, and a provisioning template, and you’ll be fine. And the conjunction of these three is a far-fetched gap. There are gaps and stuff like that. I’m not saying everybody, but in general, I would say this is true, and it’s not helping companies to deploy stuff, right? And in the worst case it comes with security implications. So having alignment, know what your company network is, because this is the other problem that I was pointing out, is that nobody knows what they’re running. And the #1 rule for me for automation is you need to know what you’re running. What I’m seeing, the companies that I have visited that have their s**t together, you know, or their stuff together, sorry,
is, you know, they have experts that look at the behavior of what’s happening, or how is the network utilized? What’s the behavior of the network? And connect the dots, you know, between the data and what the company needs and what the end users want. Because technical debt exists for a reason; for example, shadow IT exists for a reason, because people are not happy with the facilities of the network, for example because it’s too slow. I use at home something better. I bring my iPad to work, you know, whatever. So you need to connect those dots, you said, “okay, how can we still have a high grade of usability? How can we influence behavior?” Because it could be as simple as giving a training, you know, I don’t want to go down that route because we have training for everything nowadays, but it is important. So education, I would say, knowledge build-up is number one in my book. If you don’t know how your network operates or you cannot measure it, you know, spend time on this to get it, because otherwise there’s no point.

David Redekop: Yeah, there has to be an element of curiosity, right?

Chris Buijs: Yeah. You need to like it.

David Redekop: Yes, there has to be an insatiable kind of hunger for the next, right? For doing things better, for just a non-stop pursuit. It isn’t a target that you reach, it is an attitudinal positioning of always continuing to explore the next level. And what’s interesting, I find, is that when you identify those people, that’s when you actually see the next level of innovation kind of come to light, or the need for the next level of innovation come to light. So, I’m always excited to see people that have demonstrated over a period of time that non-stop hunger for better understanding that can then immediately be applied for a client benefit somewhere.

Chris Buijs: Yeah. And connect those dots: what does it mean for the business, right? Because I see a lot of things introduced on the network where you can have this, it’s a very famous word in English. It’s, “why?” So it’s like, you know, “why did you do that?” You know, and they go, like, “oh, it’s good for the business.” Why is it good for the business? And, you know, the “5 Whys.” I love this, I love it. This is my mantra. You ask deep enough and it’s, like, oh, I played golf with a buddy and he said that was good stuff. You know, not enough. So you see that lots of management decisions are made uninformed because they do not care. They just want to hear the story and move on, and I think this is a lack of curiosity, as you name it. But it’s a lack of interest, you know. If it’s your hobby, you know, DNS is my hobby, so I love going into big enterprises to see how they operate, because yum, yum, yum, popcorn, right? So I love that because, you know, if I don’t have that, how would I know?

David Redekop: I set up a web server and a DNS server at a never-before-used public IPv4 address last night. And I thought, I’m very curious what is going to be my first hit on my interface. And believe it or not, the very first, actually, I’m going to ask you. What do you think? What do you guess was the very first hit?

Chris Buijs: Query-wise? Or, yes, DNS query-wise. Um, well, I have a couple of these edge nodes running myself, right. So what I see when I start something new up, it’s lots of DDR, actually, somehow. But it’s, you know, you have this public list of how can I test the connection: connectivity.android.com, google.com. There is this specific list, and I see this list. I see lots of domains, and these are mostly the domain scanners of suns, for example, or, you know, the Censys guys. These are the first guys I see almost every time.

David Redekop: Absolutely. We find the same thing. For outgoing traffic, the very first thing are the connectivity checks. So for endpoints that are trying to connect online, iOS will always go to, like, captive.apple.com, for example. But when you stand something up on a public interface for others to discover and you’ve never served DNS there before, I was not surprised, but it’s like almost surprised when I saw the very first question was from direct.shodan.io. Like, so that’s how those guys are staying super current, because every once in a while I’ll stand up a device online and wait, and see how long it takes Shodan to discover it. And it’s very, very fast. Censys is like that too, that’s for sure. And yeah, what’s your average time in your experience before you get the first hit? You fire it up and then it takes, for me, it’s like five, six minutes. That’s it. I don’t even think it was more than a few minutes, and boom, there was the first query. Then, right after that, the TXT bind.version CHAOS queries started coming through, because of course, DNS is one of those things that has to be public-facing for public resolvers. And because there are known vulnerabilities, of course, it would make sense that right away you’d be checking what version of a DNS server is running here, so.

Chris Buijs: The funny thing is I see more queries coming from Open Resolver Labs and all this kind of stuff, to see if there are open resolvers and make a report about it, than from actual bad actors. So I get more hits from scanners than from the bad people. But what’s interesting, for an amplification attack, okay, home routers are a good target, because if you have 100,000 zombies doing your job, that’s great. But why would I attack a home DNS server, because I can steal 1,000 euros from your bank account? I dunno. You know, spend five euros to get ten, right? So I don’t know if that’s a good deal, but for larger organizations, of course. But amplification attacks, you know, the IoT stuff that is used as an amplifier, and these are the worst devices on your network, the televisions and the barcode scanners and all this kind of crap.

David Redekop: Yeah. Every defender out there, by now, I would hope, would be blocking the two most abused amplification protocols, which are DNS (UDP 53) and NTP (UDP 123), to make sure that your network cannot reach out to those protocols to the internet, period, because they should be served internally. But it’s amazing how often those are still wide open. And partially it’s because so many IoT devices are still shipping where the only way they’ll function is if those IoT devices on startup can reach their own NTP server, right? So we’re dealing with an ecosystem that,

Chris Buijs: But I see a lot of NTP attacks as well. So I worked for this big bank where we did serious stuff on NTP. And banks, or the financial sector, is very interesting to attack with NTP because it’s very transactional, you know, it’s time-based. So we had lots of GPS, not even NTP protocol, but GPS time attacks by little vans next to the data center. You know, sending fake GPS signals just to disrupt time, because that was enough to disrupt transactions, you know, money transactions. And that was just to disrupt, you know, for all kinds of stuff. So they got the guys, you know, the secret police and stuff like this. I cannot share a lot about it, but it shows that, you know, if that’s already happening on that level, then NTP is like child’s play.

David Redekop: Absolutely. Yeah. I mean, the defenders have to cover all defenses, but the offenders just need to find whatever is the most exploitable weakness at any point in time. You know, with you being decades in the industry, you’ve probably seen a lot of next-generation tools come and go. And if you look back at that journey, is there any one particular defensive principle that’s held for 20 years?

Chris Buijs: Oh, access lists, but that’s it.

David Redekop: Yes, I still rely on access lists all the time. Like, I have public-facing services in a variety of sites, but I would never dare, you know, leave those services, you know, open to the world. No, no. I still use TSIG to, you know, give people a key that want to use my DNS server, or, you know, in companies. And the funny thing about TSIG is that even now, with companies that are making hundreds of billions a year, they don’t even support it. They don’t even have it, you know. And I go like, okay, you know, that’s again the story. You know, what’s the positioning? You know, do they call it a safe DNS or DNS, you know. And they never called it a safe DNS, so what are we complaining about? Right? You get into what you get into, so there’s lots of storytelling and lots of knowledge and the lack of knowledge, and the number of people, not only in security and in events, but also on DNS and NTP and all these kinds of low-level protocols that make networks operable, is getting less and less, because they just next, next, finish with your YAML file that just does everything for you to make your farting app work on the internet, right? So, yeah, that comes with lots of attack vectors and lots of possibilities for security hackers and whatever to utilize in their attack as well. So we’re deploying so many containers and entities on the internet that are so unsafe and can be utilized and will be utilized, you know, if Censys can scan my DNS server in five minutes, let alone, you know, people that are doing this for their job. So, yeah. But I’m kind of dualistic on it. I think it’s going in the right direction, but it’s also going in the wrong direction at the same time. Chris, this has been a real joyful experience for me to have a conversation with someone across the pond, as we say, that really has been in this space for as long as we have. And I really look forward to spending more time with you and figuring out where our paths cross further.
But is there any one last piece of wisdom or advice that you’d like to leave the Defender’s audience with? Any last piece of wisdom or advice?

Chris Buijs: Just integrate and have DNS included as part of your security posture, and don’t do it separately or define it separately. You know, and you really need it as a whole architecture, as a full stack almost. That’s my advice, and if you need to do that by changing processes or organization, do it, because the benefits are real.

David Redekop: So that is in complete agreement with my thinking, which is always: defensive posture, and DNS is your first and last line of defense. You can fit a lot of other details and integrate in the middle, but if it’s the first and the last line of defense, then you’re really making good, intelligent use of defensive DNS.

Chris Buijs: Absolutely, cannot agree more.

David Redekop: Chris, it’s been so good to get to know you. Thank you for your time today, and I hope your weather turns out a little bit nicer than ours. It’s the end of April here and yet it was below zero this morning, so.

Chris Buijs: Oh, no. We have like 10 degrees, so we’re good.

David Redekop: Oh, you’re good. Alright, well I’m coming over very shortly. So I’ll see you soon. Take care. Bye for now, Chris. Bye.

Outro: The Defender’s Log requires more than a conversation. It takes action, research, and collective wisdom. If today’s episode resonated with you, we’d love to hear your insights, join the conversation, and help us shape the future together. We will be back with more stories, strategies, and real-world solutions that are making a difference for everyone. In the meantime, be sure to subscribe, rate, write a review, and share it with someone you think would benefit from it too. Thanks for listening, and we’ll see you on the next episode.


The post TDL 020 | Why DNS Is Your First Line of Cyber Defense | Chris Buijs appeared first on Security Boulevard.

  • ✇Recorded Future
From Overwhelmed to Autonomous: Rethinking Threat Intelligence in 2026

23 April 2026, 21:00

Key Takeaways

  • The real challenge in cybersecurity isn’t intelligence or visibility, it’s speed. Attackers operate at machine speed, while most organizations are still constrained by manual, human-driven workflows.
  • Traditional threat intelligence falls short because it stops at insight. To reduce risk effectively, intelligence must not only inform decisions but also actively drive response.
  • Fragmentation across cyber, fraud, and third-party risk creates exploitable gaps. A unified, intelligence-driven approach is essential to understanding and addressing modern threats holistically.
  • Autonomous defense is the path forward. By enabling continuous, real-time action across the attack surface, organizations can close the speed gap and move from reactive security to proactive risk reduction.

For most security teams today, volume and access to intelligence isn’t the problem. It’s the speed at which they can turn that intelligence into action.

Over the last decade, organizations have invested heavily in threat intelligence and cybersecurity. Global security spending has surged past $200 billion annually, growing double digits year over year, while security’s share of IT budgets has climbed from under 9% to more than 13%. Most CISOs report continued budget increases, and enterprises are making billion-dollar investments in intelligence capabilities.

And yet, breaches still happen. Fraud still slips through. Third-party risk still catches teams off guard. The issue isn’t visibility. It’s the growing gap between how fast threats move and how fast organizations can respond.

Attackers now operate at machine speed, leveraging automation and AI to identify vulnerabilities, launch campaigns, and exploit opportunities in real time. Most security teams, however, are still constrained by manual workflows, fragmented systems, and processes that require human intervention at every step. That mismatch is where risk can accumulate—and where even well-resourced teams fall behind.

What many organizations are discovering is that the problem isn't a lack of intelligence. The problem is their inability to turn that intelligence into contextualized, intelligence-led action.

The Hidden Cost of Human-Speed Security

For many organizations, this gap shows up in subtle but compounding ways. Analysts spend hours triaging alerts, trying to determine which signals actually matter. Security teams often discover incidents after damage has already occurred, not because the data wasn’t there, but because it couldn’t be acted on quickly enough. Across the organization, teams responsible for cyber operations, fraud, and third-party risk operate in silos, each with their own tools and workflows, rarely sharing a unified view of risk.

At the same time, expectations from leadership have shifted. Executives and boards no longer want activity metrics; they want clear evidence that security investments are reducing business risk. But when intelligence is not clearly connected to the actions security teams take, that proof is difficult to deliver.

Traditional threat intelligence was designed to inform decisions made by humans, at human speed. In today’s environment, that model introduces delay. And delay, in cybersecurity, is increasingly indistinguishable from exposure.

Intelligence That Acts, Not Just Informs

Closing the speed gap requires more than incremental improvements. It requires a shift in how organizations think about intelligence altogether. Moving forward, the future of cybersecurity must be more than just intelligence-led—it must be intelligence-acted.

In this model, intelligence doesn’t sit in dashboards waiting for analysts to interpret it. It continuously correlates signals, prioritizes what matters, and drives action across the security environment automatically. Instead of asking teams to move faster, it enables the entire system to operate at the speed of the threat.

This is the foundation of autonomous defense, and it’s the future of effective, machine-speed cybersecurity.

From Reactive to Autonomous: A New Operating Model

Autonomous defense fundamentally changes the role of the security team. Rather than serving as the bottleneck between detection and response, analysts become decision-makers operating on top of continuously running intelligence.

Recorded Future’s Autonomous Threat Operations brings this model to life by eliminating the manual steps that slow teams down. It ingests and correlates intelligence from multiple sources, applies context in real time, and triggers actions across existing security tools—all without requiring constant human input.

The impact of such a dramatic shift is immediate and measurable. Threat hunting becomes continuous instead of periodic. Alerts arrive enriched with context, reducing the time needed to investigate and respond. Detection and remediation workflows execute automatically, freeing analysts to focus on strategic threats rather than routine triage.

Just as importantly, this approach transforms how organizations measure success. Instead of tracking activity (alerts processed, queries written, incidents reviewed), teams can demonstrate real outcomes: faster response times, reduced exposure, and a clearer connection between intelligence and risk reduction. That last point is increasingly what organizational buy-in depends on.

This is much more than adding another tool to the stack; it is about making every existing control smarter, faster, and more effective. Recorded Future reports that security teams using its platform save up to 100 hours per week through improved analyst productivity, effort they can redirect toward threat hunting and proactive defense instead of repetitive manual analysis.

The Bigger Challenge: Fragmented Visibility Across the Attack Surface

Speed alone, however, is only part of the equation. Many organizations are also limited by how they view risk. Threats today don’t respect organizational boundaries. A phishing campaign can lead to credential theft, which can then be used to access systems, exploit third-party relationships, or enable fraudulent transactions. These events are connected, but still far too many organizations manage them in isolation.

Cyber operations teams focus on internal threats. Fraud teams monitor transactions. Risk teams assess vendors. Each group has visibility into part of the problem, but no one has a complete picture. This fragmentation creates blind spots, and attackers are increasingly skilled at navigating between them.

A Unified Approach to Risk

To effectively reduce risk, organizations need more than faster response times. They need a connected understanding of their entire attack surface, along with the ability to act across it in a coordinated way.

Recorded Future addresses this through four core solution areas—Cyber Operations, Digital Risk Protection, Third-Party Risk, and Payment Fraud Intelligence—all built on a single, integrated intelligence foundation.

In cyber operations, this means moving beyond alert overload to real-time prioritization. Instead of forcing analysts to sift through volumes of data, intelligence surfaces the threats that are most relevant to the organization’s environment and enables immediate action. The combination of prioritization and automation allows teams to reduce noise while improving both detection speed and response quality.

In digital risk protection, the focus shifts beyond the traditional perimeter. Today’s attackers target brands, customers, and executives just as frequently as they target infrastructure. By monitoring the open, deep, and dark web, Recorded Future provides visibility into impersonation campaigns, credential exposure, and emerging threats long before they impact the organization. More importantly, it enables rapid response, whether that means taking down fraudulent domains or preventing account takeover attempts.

Third-party risk represents another growing challenge. As organizations expand their ecosystems, they inherit risk from vendors and partners, often without real-time visibility. Third-party involvement in breaches has reached a staggering 30%, up from just 15% a year ago. Static assessments and periodic reviews can’t keep pace with how quickly vendor risk evolves today. Continuous monitoring, grounded in real-world intelligence, allows organizations to detect issues earlier, respond faster, and maintain a more accurate understanding of their exposure.

"Threat intelligence-driven security is vital. It's the eyes and ears of a security team. You can't protect yourself against what you don't know. A couple of times now, Recorded Future has alerted us to something prior to the third-party vendor. That's huge when we're trying to protect our data."

Natalie Salisbury, Strategic Threat Intelligence Analyst, Novavax

In the realm of payment fraud intelligence, the shift is equally significant. There were some 269 million records posted across dark and clear web platforms in 2024, and a tripling of certain e-skimmer infections. It’s important to keep in mind that fraud doesn’t begin at the moment of transaction. Rather, it begins much earlier, in the environments where stolen data is exchanged and tested. Recorded Future provides comprehensive coverage across the complete payment fraud lifecycle. Sophisticated cleanup and normalization techniques result in better data quality and richer data sets, reducing manual research and enabling high confidence mitigation actions. By identifying these signals upstream and intervening, organizations can stop fraud before it’s executed, reducing both financial loss and customer impact.

One Intelligence Foundation. Total Visibility.

What makes this approach fundamentally different is that these capabilities are not delivered as isolated solutions. They are unified through the Recorded Future Intelligence Platform, which correlates data across millions of sources and billions of entities to provide a single, coherent view of risk.

This unified foundation enables organizations to connect signals that would otherwise remain siloed. Threat actors, infrastructure, vulnerabilities, and campaigns are all linked, allowing teams to understand not just what is happening, but what is likely to happen next.

That level of visibility is what makes autonomous defense possible. And not just within a single domain, but across the entire attack surface.

The urgency behind this shift cannot be overstated. Attackers are already operating at machine speed, using automation to scale their efforts and reduce the time between discovery and exploitation. At the same time, organizations that rely on manual processes are finding it increasingly difficult to keep up.

The consequences of this gap are significant. Longer dwell times allow attackers to entrench themselves more deeply. Delayed responses increase the cost and impact of incidents. And as breaches and fraud events become more visible, customer trust becomes harder to maintain.

This is no longer a question of optimization. It’s a question of whether existing operating models can keep pace with the reality of modern threats.

Rethinking What Threat Intelligence Should Do

As organizations evaluate their approach to cybersecurity, the role of threat intelligence needs to be reconsidered. It is no longer enough for intelligence to provide visibility. It must enable action. It must operate in real time. And it must extend across the full scope of organizational risk—not just one domain at a time.

Equally important, it must deliver outcomes that matter to the business. Faster detection, reduced exposure, and measurable risk reduction are no longer aspirational. They are essential for enterprise security in the modern, AI-powered threat landscape.

The goal for most organizations isn’t to replace their security stack. It’s to make it work better. By enabling intelligence to act autonomously, connecting visibility across domains, and aligning security operations with the speed of modern threats, organizations can close the gap that has long existed between insight and action. Recorded Future is built to make that possible.

If your team is still struggling with alert fatigue, delayed responses, or fragmented visibility, the issue may not be a lack of resources. It may be a limitation in how intelligence is being applied.

Now is the time to rethink that model.

Connect with Recorded Future to see how autonomous defense can help your organization move at the speed of today’s threats—and stay ahead of what comes next.

Contact us

  • ✇Security Boulevard
Breach of Confidence: 24 April 2026

By: j4vv4d
24 April 2026, 06:03

I spent an hour this week explaining to someone that no, ChatGPT cannot reliably fact-check itself, and yes, that’s a problem when your entire business strategy depends on it being right. They looked at me like I’d just told them Father Christmas works part-time at Argos. The Swing That Crosses Borders 40 Times a Minute … Continue reading Breach of Confidence: 24 April 2026

The post Breach of Confidence: 24 April 2026 appeared first on Security Boulevard.
